A computing device that performs private key operations, such as signatures and/or decryptions, risks exposure of its private key if captured. While encrypting the private key with a password is common, this provides only marginal protection, since passwords are well-known to be susceptible to offline dictionary attacks: an attacker holding the captured, password-encrypted key can test candidate passwords against it at leisure, with no further interaction, until the decryption yields a well-formed key. Much recent research has explored techniques for providing better password protections for the private keys on devices that may be captured.
One technique provides for encrypting the private key under a password in a way that prevents the attacker from determining, from the captured data alone, whether a password guess is correct: every candidate password decrypts to a plausible-looking private key. This technique is referred to as cryptographic camouflage, see, e.g., D. N. Hoover et al., “Software Smart Cards via Cryptographic Camouflage,” 1999 IEEE Symposium on Security and Privacy, pp. 208-215, May 1999, the disclosure of which is incorporated by reference herein.
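The following Python program is an added illustration of the contrast between a conventionally encrypted key and a camouflaged one; it is not code from the Hoover et al. paper or from this application. It uses a toy discrete-logarithm key pair in the multiplicative group modulo the Mersenne prime 2^127 - 1 (an assumption chosen so the arithmetic is self-contained), PBKDF2 as the password-to-scalar derivation, and a constructed word list as the attacker's dictionary. In the conventional format the stored blob carries an integrity tag, standing in for the tag or parseable structure that real key formats expose, and that tag is exactly what lets an offline guess be checked. The camouflaged format stores the key as a modular offset, so any password yields a scalar in range, and the only way to test a guess is against the public key, which is therefore the value a camouflage scheme must keep from the attacker.

```python
"""Offline dictionary attack versus cryptographic camouflage (toy model).

Added example, not the referenced paper's or patent's own code. Stdlib only.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Toy discrete-log group (assumption: Mersenne prime for a self-contained demo).
P = (1 << 127) - 1          # 2^127 - 1 is prime
G = 3
Q = P - 1                   # private scalars live in Z_Q
KDF_ITERS = 20_000          # kept low for the demo; raise for real use


def kdf(password: str, salt: bytes, label: bytes) -> int:
    """Password -> scalar in Z_Q via PBKDF2-HMAC-SHA256 with a domain label."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + label, KDF_ITERS, 32)
    return int.from_bytes(raw, "big") % Q


def keygen(x: Optional[int] = None):
    """Return (private scalar, public element); x may be fixed for tests."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


# --- Conventional: encrypted key plus an integrity tag ----------------------
def store_conventional(x: int, password: str) -> dict:
    salt = secrets.token_bytes(16)
    ct = (x + kdf(password, salt, b"enc")) % Q
    mac_key = kdf(password, salt, b"mac").to_bytes(16, "big")
    # The tag is the offline oracle: a wrong password fails to verify it.
    tag = hmac.new(mac_key, ct.to_bytes(16, "big"), "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def open_conventional(blob: dict, password: str) -> Optional[int]:
    mac_key = kdf(password, blob["salt"], b"mac").to_bytes(16, "big")
    tag = hmac.new(mac_key, blob["ct"].to_bytes(16, "big"), "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None                       # wrong password is detectable locally
    return (blob["ct"] - kdf(password, blob["salt"], b"enc")) % Q


# --- Camouflaged: every password "works" ------------------------------------
def store_camouflaged(x: int, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "ct": (x + kdf(password, salt, b"enc")) % Q}


def open_camouflaged(blob: dict, password: str) -> int:
    # Modular subtraction keeps every result inside Z_Q, so a wrong password
    # yields a well-formed (but wrong) private key with nothing to check.
    return (blob["ct"] - kdf(password, blob["salt"], b"enc")) % Q


# --- Offline dictionary attacks ---------------------------------------------
def attack_conventional(blob: dict, dictionary: List[str]) -> Optional[str]:
    for guess in dictionary:
        if open_conventional(blob, guess) is not None:
            return guess
    return None


def attack_camouflaged(blob: dict, dictionary: List[str],
                       public_key: Optional[int]) -> Optional[str]:
    """Without the public key there is nothing to compare a candidate against;
    with it, one exponentiation per guess confirms or refutes the guess."""
    if public_key is None:
        return None
    for guess in dictionary:
        if pow(G, open_camouflaged(blob, guess), P) == public_key:
            return guess
    return None


if __name__ == "__main__":
    x, y = keygen()
    words = ["letmein", "password1", "correct horse", "hunter2"]   # constructed
    conv, camo = store_conventional(x, "hunter2"), store_camouflaged(x, "hunter2")
    print("conventional, offline:", attack_conventional(conv, words))
    print("camouflage, public key hidden:", attack_camouflaged(camo, words, None))
    print("camouflage, public key known:", attack_camouflaged(camo, words, y))
```

Note that the camouflage blob is no stronger than the conventional one once the public key is available, which is why the technique is incompatible with infrastructure that publishes public keys (certificates, key servers).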
Another technique provides for forcing the attacker to verify his password guesses at an online server before the use of the private key is enabled, thereby turning an offline attack into an online one that can be detected and stopped. This technique is described in the commonly-assigned U.S. patent application identified as Ser. No. 10/072,331 filed on Feb. 7, 2002, and entitled “Methods and Apparatus for Providing Networked Cryptographic Devices Resilient to Capture,” the disclosure of which is incorporated by reference herein. In accordance with this server-based approach, the server may be untrusted (e.g., its compromise does not reduce the security of the device's private key unless the device is also captured) and need not have a prior relationship with the device.
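The following Python program is an added, simplified model of a server-assisted private key operation, written for this page; it is not the protocol of the referenced application. In particular, the real scheme uses an encrypted ticket so that the server needs no prior relationship with the device, whereas this model provisions the server with its share at enrolment (a deliberate simplification). The private scalar of a toy Schnorr-style key (assumption: the group modulo the Mersenne prime 2^127 - 1) is split into a device share derived from the password and a server share; the device stores only an identifier, a salt and the public key, so nothing on a captured device can confirm a password guess offline. Each guess must be sent to the server, which checks an authenticator, counts failures and locks the device after a threshold, turning the offline attack into an observable online one. Compromise of the server alone yields the share and a hashed authenticator but not the salt, so it does not enable a dictionary attack without the device.

```python
"""Server-assisted signing: password guesses must be verified online.

Added example; NOT the referenced patent application's protocol (see lead-in).
Stdlib only.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

P = (1 << 127) - 1    # Mersenne prime, toy group (assumption)
G = 3
Q = P - 1
ITERS = 20_000        # low for the demo


def kdf(password: str, salt: bytes, label: bytes) -> int:
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + label, ITERS, 32)
    return int.from_bytes(raw, "big") % Q


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")


class Server:
    """Holds, per device, its share x_s, a hash of the authenticator and a
    failure counter. It never sees the device's salt."""
    MAX_FAILURES = 3

    def __init__(self):
        self.records = {}   # device_id -> [x_s, auth_hash, failures]

    def enrol(self, device_id: str, x_s: int, auth: int) -> None:
        self.records[device_id] = [x_s, hashlib.sha256(i2b(auth)).digest(), 0]

    def cosign(self, device_id: str, auth: int, R_d: int, msg: bytes):
        rec = self.records[device_id]
        x_s, auth_hash, failures = rec
        if failures >= self.MAX_FAILURES:
            raise PermissionError("device locked: too many failed attempts")
        if not hmac.compare_digest(hashlib.sha256(i2b(auth)).digest(), auth_hash):
            rec[2] += 1                     # every wrong guess is visible here
            raise PermissionError("bad password")
        rec[2] = 0
        k_s = secrets.randbelow(Q - 1) + 1
        R_s = pow(G, k_s, P)
        e = H(i2b((R_d * R_s) % P), msg)
        return R_s, (k_s + e * x_s) % Q     # server's partial signature


class Device:
    """Stores only id, salt and public key: no offline password oracle."""

    def __init__(self, device_id: str, salt: bytes, y: int):
        self.device_id, self.salt, self.y = device_id, salt, y

    def sign(self, server: Server, password: str, msg: bytes):
        x_d = kdf(password, self.salt, b"share")
        auth = kdf(password, self.salt, b"auth")
        k_d = secrets.randbelow(Q - 1) + 1
        R_d = pow(G, k_d, P)
        R_s, s_s = server.cosign(self.device_id, auth, R_d, msg)
        R = (R_d * R_s) % P
        e = H(i2b(R), msg)
        # s = (k_d + k_s) + e * (x_d + x_s) = k + e * x
        return R, (k_d + e * x_d + s_s) % Q


def enrol(server: Server, device_id: str, password: str) -> Device:
    salt = secrets.token_bytes(16)
    x_d = kdf(password, salt, b"share")
    x_s = secrets.randbelow(Q - 1) + 1
    y = pow(G, (x_d + x_s) % Q, P)
    server.enrol(device_id, x_s, kdf(password, salt, b"auth"))
    return Device(device_id, salt, y)


def verify(y: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = H(i2b(R), msg)
    return pow(G, s, P) == (R * pow(y, e, P)) % P


def online_guessing(server: Server, device: Device, dictionary: List[str],
                    msg: bytes = b"probe") -> Optional[str]:
    """What a captor of the device is forced to do: try guesses against the
    server, which records each failure and locks the device."""
    for guess in dictionary:
        try:
            device.sign(server, guess, msg)
            return guess
        except PermissionError as err:
            if "locked" in str(err):
                return None
    return None
```

Usage: `dev = enrol(Server(), "dev-1", "hunter2")`, then `dev.sign(server, "hunter2", b"msg")` yields a signature that `verify(dev.y, b"msg", sig)` accepts; `online_guessing` with a constructed word list shows the lockout after `Server.MAX_FAILURES` wrong guesses. The per-operation round trip to the server is the cost this approach pays for that detectability.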
The server-based approach offers certain advantages over the cryptographic camouflage approach, e.g., the server-based approach is compatible with existing infrastructure, whereas cryptographic camouflage requires that public keys be hidden from potential attackers.
However, the server-based approach requires that the device interact with a designated server in order to perform a (and typically each) private key operation. This interaction may become a bottleneck if the designated server is geographically distant and the rate of private key operations is significant.
Thus, there exists a need for techniques which overcome drawbacks associated with the approaches described above and which thereby make networked cryptographic devices more resilient to capture while minimizing or eliminating any potential bottleneck situations.